KB5031364 is the cumulative update for Windows Server 2022. The update was released under the ‘Patch Tuesday’ initiative of Microsoft on 10 October 2023.
Salient points
- KB5031364 has now been superseded by KB5032198 for Windows Server 2022. You can read more about KB5032198 on this page.
- KB5031364 is a cumulative update that supersedes KB5030216.
- KB5030216 was released in September 2023. You can read more about KB5030216 on this page.
- KB5031364 corresponds to server build 20348.2031.
- KB5030216 corresponds to server build 20348.1970.
- When you upgrade from KB5030216 to KB5031364, you progress from server build 1970 to 2031.
- Servicing Stack update 20348.2032 corresponds to KB5031364. This Servicing Stack Update is included in the main cumulative update. No separate installation of the Servicing Stack Update is required for Windows Server 2022.
- 79 security vulnerabilities have been reported for Windows Server 2022 in the October 2023 security bulletin released by Microsoft on 10 October 2023.
- 2 zero-day threats affect Windows Server 2022 and the Windows Server 2022 Server Core installation. These include CVE-2023-44487, which calls for immediate mitigation or patching.
- There are 12 CRITICAL vulnerabilities that affect Windows Server 2022. These threats have been listed in the vulnerabilities section below.
Download KB5031364
KB5031364 can be applied through an automated deployment process. Or, you could install KB5031364 manually. We discuss both approaches below.
For automated patch application on Windows Server 2022, you could use one of the following methods:
- Windows Update
- Windows Update for Business
- WSUS or Windows Server Update Service
WSUS remains the best and most preferred method to roll out updates periodically and automatically on Windows Server 2022.
Since the Servicing Stack Update 20348.2032 is part of the main update, no separate installation of the SSU is needed on Windows Server 2022.
You can also install KB5031364 on Windows Server 2022 manually. For manual installation, you need to follow a single-step process to download and apply the patch.
You need to download an offline installer file for KB5031364. This file can be downloaded from the Microsoft Update Catalog site. Or, you could use the direct download link for KB5031364 to download the offline installer file.
The offline installer files for KB5031364 are available for Windows Server 2022 version 21H2 and Windows Server 2022 version 22H2. You need to pick the right installer file, depending on the server version in use.
We have shared both links below for your ready reference for the patch KB5031364.
- Download KB5031364 from Microsoft Update Catalog – you can download the KB5031364 file for Windows Server 2022 version 21H2 and version 22H2 from this page.
- Direct download link for KB5031364 for Windows Server 2022 version 21H2
- Direct download link for KB5031364 for Windows Server 2022 version 22H2
The size of the KB5031364 installer file for Windows Server 2022 version 21H2 and 22H2 is 358 MB.
The server will reboot to complete the deployment process for the cumulative update. So, we strongly suggest carrying out the implementation under an organized change process within the IT infrastructure.
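After the reboot, the build numbers given earlier on this page (20348.1970 for KB5030216, 20348.2031 for KB5031364) can be used to confirm the patch level. The following PowerShell is an added example, not part of the original article; the host names in the sample inventory are constructed.

```powershell
# Build numbers taken from this page.
$TargetBuild = 20348   # Windows Server 2022
$PriorUbr    = 1970    # KB5030216 -> 20348.1970
$TargetUbr   = 2031    # KB5031364 -> 20348.2031

function Get-PatchLevel {
    # Classify a build/revision pair against KB5030216 and KB5031364.
    param([int]$Build, [int]$Ubr)
    if ($Build -ne $TargetBuild) { return 'NotServer2022' }
    if ($Ubr -lt $PriorUbr)      { return 'OlderThanKB5030216' }
    if ($Ubr -lt $TargetUbr)     { return 'MissingKB5031364' }
    if ($Ubr -eq $TargetUbr)     { return 'AtKB5031364' }
    return 'NewerCumulativeUpdate'   # e.g. the superseding KB5032198
}

function Test-LocalPatchLevel {
    # CurrentBuildNumber and UBR (update build revision) together form the OS build.
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    [pscustomobject]@{
        Computer     = $env:COMPUTERNAME
        OSBuild      = "$($cv.CurrentBuildNumber).$($cv.UBR)"
        Level        = Get-PatchLevel -Build ([int]$cv.CurrentBuildNumber) -Ubr ([int]$cv.UBR)
        # May be False on a patched server once a later cumulative update is installed,
        # which is why the build comparison above is the primary check.
        HotFixListed = [bool](Get-HotFix -Id 'KB5031364' -ErrorAction SilentlyContinue)
    }
}

# Constructed inventory rows (hypothetical hosts) showing each outcome offline.
$inventory = @(
    [pscustomobject]@{ Name = 'srv-a'; Build = 20348; Ubr = 1970 }
    [pscustomobject]@{ Name = 'srv-b'; Build = 20348; Ubr = 2031 }
    [pscustomobject]@{ Name = 'srv-c'; Build = 20348; Ubr = 2113 }
    [pscustomobject]@{ Name = 'srv-d'; Build = 17763; Ubr = 4974 }
)
$inventory | ForEach-Object {
    [pscustomobject]@{
        Name    = $_.Name
        OSBuild = "$($_.Build).$($_.Ubr)"
        Level   = Get-PatchLevel -Build $_.Build -Ubr $_.Ubr
    }
} | Format-Table -AutoSize

# On the server itself:
# Test-LocalPatchLevel
```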
Vulnerabilities
There are 79 security vulnerabilities on Windows Server 2022 as per the October 2023 security bulletin released by Microsoft. We restrict our discussion to the zero-day threats and CRITICAL threats for Windows Server 2022.
There are 2 zero-day threats and 12 CRITICAL vulnerabilities on Windows Server 2022. We list these below.
Zero-day vulnerabilities
There are 2 zero-day vulnerabilities on Windows Server 2022. Zero-day threats require immediate mitigation or patching. This is because zero-day threats have either been publicly disclosed or have already been exploited by threat actors.
The two zero-day threats on Windows Server 2022 are:
CVE Vulnerability | Severity | CVSS Score | Impact | Comments |
---|---|---|---|---|
CVE-2023-36563 | IMPORTANT | 6.5 | Information Disclosure | Exploiting this vulnerability could allow the disclosure of NTLM hashes. |
CVE-2023-44487 | IMPORTANT | 6.5 | Denial of Service | HTTP/2 Rapid Reset Attack |
For CVE-2023-44487, Microsoft has also released registry keys for mitigation. To mitigate CVE-2023-44487, you can limit the number of RST_STREAMS allowed per minute on a connection using the new registry keys in this update.
Registry key | Default value | Valid value range | Registry key function |
---|---|---|---|
Http2MaxClientResetsPerMinute | 400 | 0–65535 | Sets the allowed number of resets (RST_STREAMS) per minute for a connection. When you reach this limit, a GOAWAY message is sent to the client for the connection. |
Http2MaxClientResetsGoaway | 1 | 0–1 | Disables or enables the GOAWAY message to send when you reach the limit. If you set this to 0, the connection ends as soon as you reach the limit. |
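The two values in the table can be audited and set from PowerShell. This is an added example, not from the original article or from Microsoft. The page does not give the registry path or value type, so the script assumes the standard HTTP.sys Parameters key and DWORD values.

```powershell
# ASSUMPTION: HTTP.sys Parameters key; the page does not state the path.
$Http2Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'

# Defaults and valid ranges exactly as listed in the table above.
$Http2Settings = @{
    Http2MaxClientResetsPerMinute = @{ Default = 400; Min = 0; Max = 65535 }
    Http2MaxClientResetsGoaway    = @{ Default = 1;   Min = 0; Max = 1 }
}

function Get-Http2ResetSetting {
    # Report configured vs. effective value and flag anything outside the valid range.
    param([string]$Path = $Http2Key)
    foreach ($name in ($Http2Settings.Keys | Sort-Object)) {
        $spec  = $Http2Settings[$name]
        $item  = Get-ItemProperty -Path $Path -Name $name -ErrorAction SilentlyContinue
        $value = if ($null -ne $item) { $item.$name } else { $null }
        [pscustomobject]@{
            Name       = $name
            Configured = $value      # empty means the value is not set
            Effective  = if ($null -ne $value) { $value } else { $spec.Default }
            InRange    = ($null -eq $value) -or ($value -ge $spec.Min -and $value -le $spec.Max)
        }
    }
}

function Set-Http2ResetSetting {
    # ValidateRange rejects values outside the ranges in the table before anything is written.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [ValidateRange(0, 65535)][int]$MaxResetsPerMinute = 400,
        [ValidateRange(0, 1)][int]$SendGoaway = 1,
        [string]$Path = $Http2Key
    )
    $values = @{
        Http2MaxClientResetsPerMinute = $MaxResetsPerMinute
        Http2MaxClientResetsGoaway    = $SendGoaway
    }
    foreach ($name in $values.Keys) {
        if ($PSCmdlet.ShouldProcess("$Path\$name", "Set DWORD $($values[$name])")) {
            # ASSUMPTION: DWORD type; the page does not state the value type.
            New-ItemProperty -Path $Path -Name $name -Value $values[$name] -PropertyType DWord -Force | Out-Null
        }
    }
}

Get-Http2ResetSetting | Format-Table -AutoSize
# Preview a tighter limit without writing anything:
# Set-Http2ResetSetting -MaxResetsPerMinute 200 -WhatIf
```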
CRITICAL vulnerabilities
There are 12 CRITICAL security vulnerabilities that affect Windows Server 2022 under the October 2023 security bulletin released by Microsoft. All these vulnerabilities show the following characteristics:
- These CRITICAL vulnerabilities are either on account of the Microsoft Message Queuing service or the Layer 2 Tunneling Protocol.
- All these vulnerabilities can cause an impact of ‘Remote Code Execution’.
The 12 CRITICAL security vulnerabilities on Windows Server 2022 are shared hereunder:
CVE Details | CVSS Score | Comments |
---|---|---|
CVE-2023-35349 | 9.8 | This vulnerability affects Microsoft Message Queuing. Successful exploitation of this vulnerability could allow an unauthenticated attacker to remotely execute code on the target server. |
CVE-2023-36697 | 6.8 | This vulnerability affects Microsoft Message Queuing. Successful exploitation of this vulnerability could allow an authenticated domain user to remotely execute code on the target server. |
CVE-2023-36718 | 7.8 | This vulnerability could lead to a contained execution environment escape on the Microsoft Virtual Trusted Platform Module. |
CVE-2023-41774 | 8.1 | This vulnerability affects the Layer 2 Tunneling protocol. An unauthenticated attacker could send a specially crafted protocol message to a Routing and Remote Access Service (RRAS) server, which could lead to remote code execution (RCE) on the RAS server machine. |
CVE-2023-41773 | 8.1 | This vulnerability affects the Layer 2 Tunneling protocol. An unauthenticated attacker could send a specially crafted protocol message to a Routing and Remote Access Service (RRAS) server, which could lead to remote code execution (RCE) on the RAS server machine. |
CVE-2023-41771 | 8.1 | This vulnerability affects the Layer 2 Tunneling protocol. An unauthenticated attacker could send a specially crafted protocol message to a Routing and Remote Access Service (RRAS) server, which could lead to remote code execution (RCE) on the RAS server machine. |
CVE-2023-41770 | 8.1 | This vulnerability affects the Layer 2 Tunneling protocol. An unauthenticated attacker could send a specially crafted protocol message to a Routing and Remote Access Service (RRAS) server, which could lead to remote code execution (RCE) on the RAS server machine. |
CVE-2023-41769 | 8.1 | This vulnerability affects the Layer 2 Tunneling protocol. An unauthenticated attacker could send a specially crafted protocol message to a Routing and Remote Access Service (RRAS) server, which could lead to remote code execution (RCE) on the RAS server machine. |
CVE-2023-41768 | 8.1 | This vulnerability affects the Layer 2 Tunneling protocol. An unauthenticated attacker could send a specially crafted protocol message to a Routing and Remote Access Service (RRAS) server, which could lead to remote code execution (RCE) on the RAS server machine. |
CVE-2023-41767 | 8.1 | This vulnerability affects the Layer 2 Tunneling protocol. An unauthenticated attacker could send a specially crafted protocol message to a Routing and Remote Access Service (RRAS) server, which could lead to remote code execution (RCE) on the RAS server machine. |
CVE-2023-41765 | 8.1 | This vulnerability affects the Layer 2 Tunneling protocol. An unauthenticated attacker could send a specially crafted protocol message to a Routing and Remote Access Service (RRAS) server, which could lead to remote code execution (RCE) on the RAS server machine. |
CVE-2023-38166 | 8.1 | This vulnerability affects the Layer 2 Tunneling protocol. An unauthenticated attacker could send a specially crafted protocol message to a Routing and Remote Access Service (RRAS) server, which could lead to remote code execution (RCE) on the RAS server machine. |
IIS Vulnerability
There is a CVSS 9.8 vulnerability on the IIS Server running on Windows Server 2022. This vulnerability has an IMPORTANT severity level. The details of the vulnerability are shared below:
CVE Vulnerability | Severity | CVSS Score | Impact | Comments |
---|---|---|---|---|
CVE-2023-36434 | IMPORTANT | 9.8 | Elevation of Privileges | In a network-based attack, an attacker could brute force user account passwords to log in as that user. Microsoft suggests using complex or strong passwords to protect against this vulnerability. |
KB5031364 – Changelog
The following changes are part of the KB5031364 cumulative update for Windows Server 2022:
- New! This update adds Azure Arc Optional Component related links to Server Manager. Now, you can turn on Arc on your servers. You do not need to run a PowerShell script.
- New! This update completes the work to comply with the GB18030-2022 requirements. It removes and remaps characters for Microsoft Wubi input and Microsoft Pinyin U-mode input. You can no longer enter character codepoints that are not supported. All the required codepoints are up to date.
- This update addresses a race condition. This occurs when codepages load during the early part of startup. This leads to stop error 0x7e.
- This update changes the spelling of Ukraine’s capital from Kiev to Kyiv.
- This update supports daylight saving time (DST) changes in Greenland.
- This update addresses an issue that affects scheduled tasks. Tasks that call the credential manager API might fail. This occurs if you select [Run only when user is logged on] and [Run with highest privileges].
- This update addresses an issue that affects Kerberos delegation. It might fail in the wrong way. The error code is 0xC000006E (STATUS_ACCOUNT_RESTRICTION). This issue might occur when you mark the intermediate service account as “This account is sensitive and cannot be delegated” in Active Directory. Applications might also return the error message, “System.Security.Authentication.AuthenticationException: Failed to initialize security context. Error code was -2146893042.”
- This update addresses an issue that affects PCI devices. You might get an error when you turn on Kernel Direct Memory Access (DMA) protection.
- This update improves the efficiency and performance of the Recommended Troubleshooter.
- This update affects Windows Filtering Platform (WFP) connections. The redirect diagnostics for them has improved.
- This update addresses an issue that affects external binding. It fails. This occurs after you install Windows updates dated May 2023 or later. Because of this, there are issues that affect LDAP queries and authentication.
- This update affects Active Directory event ID 1644 processing. It now accepts events that are more than 64 KB in length. This change truncates Lightweight Directory Access Protocol (LDAP) queries that are in event 1644 to 20000 characters by default. You can configure the 20K value using the registry key “DEFAULT_DB_EXPENSIVE_SEARCH_FILTER_MAX_LOGGING_LENGTH_IN_CHARS.”
- This update addresses an issue that affects those who enable the “Smart Card is Required for Interactive Logon” account option. When RC4 is disabled, you cannot authenticate to Remote Desktop Services farms. The error message is, “An authentication error has occurred. The requested encryption type is not supported by the KDC.”
- This update addresses an issue that affects I/O over Server Message Block (SMB). It might fail when you use the LZ77+Huffman compression algorithm.
- This update addresses an issue that affects the Server Message Block (SMB) client. It does not reconnect all the persistent handles when the reauthentication of a session fails.
For more details about KB5031364, you can also refer to the Microsoft release document for KB5031364.
Rajesh Dhawan is a technology professional who loves to blog about smart wearables, Cloud computing and Microsoft technologies. He loves to break complex problems into manageable chunks of meaningful information.